Privacy amplification (PA) is an essential post-processing step in quantum key distribution (QKD) 
for removing any information an eavesdropper may have on the final secret key. In this paper, we 
consider delaying PA of the final key after its use in one-time pad encryption and prove its security. 
We prove that the security and the key generation rate are not affected by delaying PA. Delaying 
PA has two applications: it serves as a tool for significantly simplifying the security proof of QKD 
with a two-way quantum channel, and also it is useful in QKD networks with trusted relays. To 
illustrate the power of the delayed PA idea, we use it to prove the security of a qubit-based two-way 
deterministic QKD protocol which uses four states and four encoding operations. 

PACS numbers: 03.67.Dd, 03.67.-a, 03.67.Hk, 03.67.Ac 



I. INTRODUCTION 

Quantum key distribution (QKD) [1, 2] allows two parties, Alice and Bob, to share a
secret key by exchanging quantum particles. The final secret key is secure against
any eavesdropper, called Eve, with unlimited computational power. Initial security
proofs of QKD mostly focus on infinite key size and perfect equipment [3-10]. More
recent security proofs take into consideration device imperfection [11-16], while
the effect of finite key size is explicitly considered in Refs. [17-23].

QKD protocols usually involve two post-processing steps after the quantum state
transmission step: error correction (EC) [24] to make sure Alice's key is the same
as Bob's, and privacy amplification (PA) [25, 26] to ensure Eve does not have any
non-trivial information on the final secret key. The final secret key generated can
then be used in a subsequent cryptographic application such as the one-time pad
(OTP) [27, 28].

In this paper, we consider running QKD without immediately running EC and PA.
Assuming that OTP will be used as the next step, we delay the application of EC and
PA until after the OTP, in effect performing a weakly secure OTP. Delaying EC is
trivial and requires no extra attention since errors in the original key simply
translate into the same errors in the OTP-encrypted message, and bit errors do not
affect the security of the message. On the other hand, delaying PA is non-trivial
since normal PA ensures a key becomes secure first before being used, and now we use
the insecure key first before making it secure. These two operations do not appear
to commute, but we will prove that they do when we choose an appropriate PA scheme.
By commuting, we mean that delayed PA is secure with the same security level
achieved by the same PA function used to make the original raw key secure. In
summary, we prove that delaying PA after OTP does not affect the security and the
key generation rate. Delayed PA will be the focus of the paper.

At first glance, delaying privacy amplification does not appear to be of much use.
However, after a more thorough thought, we find that it is useful on at least two
occasions. First, it is useful in the secret key sharing between nodes in a QKD
network where the nodes do not have a direct quantum link with each other but are
separately connected to a common trusted relay. QKD is run between each node and
the intermediate trusted relay, without running the full QKD post-processing. Some
post-processing such as EC and PA may be delayed until two nodes decide to share a
key together, in which case these post-processing steps are run only between them.
This is particularly useful when the classical communication, computation, and/or
energy costs associated with the trusted relay are high, for example, as in
satellite-based QKD [29]. Thus, delaying some costly post-processing parts can be
beneficial. In this paper, we do not discuss the trusted relay scenario but only the
validity of delaying PA in a general manner. Delaying EC is more trivial since any
two parties each holding a bit string can remove errors between their strings by
exchanging error syndromes with each other.

The second situation where delayed PA is useful is that we can use it to construct a
two-way deterministic QKD protocol (DQKD) [30-38], whose security against general
attacks is fully proved in this paper. A two-way deterministic QKD protocol is a
prepare-and-measure protocol in which each signal (in our case, a qubit) makes a
round trip from Bob to Alice and back to Bob. In contrast to conventional
qubit-based QKD such as the BB84 protocol, the correct measurement basis is always
used in DQKD because the signals are both prepared and measured by Bob. To encode a
key bit, Alice simply applies some operation (based on her key bit value) on the
qubit sent by Bob and then returns it to Bob. Bob can decode Alice's key bit by a
measurement in the same basis as the one he used to prepare the initial qubit. We
remark that two-way deterministic QKD with continuous variables has been shown to
have the potential for enhancing the security threshold [39]. Delayed PA may serve
as a tool for proving the security of two-way continuous-variable QKD. In this
paper, we focus on qubit-based two-way DQKD.

The security of qubit-based two-way DQKD had been a long-standing problem until our
recent security proof of it [40]. There, we directly compute the overall density
matrix of Alice, Bob, and Eve for one particular two-way DQKD protocol in which
Alice uses two operators for the encoding of her bit. In this paper, we consider a
different qubit-based two-way DQKD protocol in which Alice uses four encoding
operators, and prove its security using the delayed PA idea. We show that this
particular protocol resembles the integration of the BB84 protocol and OTP. Because
of this, our analysis is significantly simplified since the security of the DQKD
protocol against general attacks then derives directly from that of the BB84
protocol and OTP. We simply rely on the security results of the latter. Our proof
idea is to convert the integrated scheme to the DQKD protocol through a series of
equivalent protocols. We remark that the idea of integrating QKD with OTP has been
proposed before by Deng and Long [35] without a rigorous security analysis. The
scheme of Deng and Long runs in a batch-after-batch manner where a batch of qubits
received by Alice on the BB84 channel is stored in quantum memory first before they
are used as a batch for OTP encryption, in contrast to our scheme in which each
qubit is returned to Bob immediately after reception by Alice.

The organization of the paper is as follows: After reviewing some preliminaries in
Sec. II, we first prove the security of delayed privacy amplification in Sec. III.
This will be an important tool that we will use in the conversion to the DQKD
protocol. The DQKD protocol is described in Sec. IV and the detailed discussion of
its security proof based on the conversion argument is explained in Sec. V. To begin
the conversion, we outline the initial protocols of the conversion process in
Sec. V A. Then we discuss the conversion process in Sec. V B. We conclude in
Sec. VI.



II. PRELIMINARIES 



A. Notations 



Bit strings are represented as vectors with elements in GF(2), where GF($q$) is the
Galois field with $q$ elements. We use $k$ to denote such a vector and $k[i]$ to
denote the $i$th bit. We define the projector function
$P(|\phi\rangle) = |\phi\rangle\langle\phi|$. We denote the Pauli matrices by $X$,
$Z$, and $Y = iXZ$, and the corresponding eigenstates by
$\{|0_w\rangle, |1_w\rangle\}$ where $w = x, y, z$.
B. Security measure 

We adopt the universal composability definition of security first proposed by
Canetti [41]. This definition quantifies the security of a cryptographic primitive
in terms of its deviation from the ideal functionality. The notion of universal
composability has been extended to the QKD setting.

Definition 1. A classical random variable $K$ (representing the key) drawn from the
set $\mathcal{K}$ is said to be $\epsilon$-secure with respect to an eavesdropper
holding a quantum system $E$ if

$$\frac{1}{2}\,\mathrm{Tr}\,\bigl|\rho_{KE} - \rho_U \otimes \rho_E\bigr| \le \epsilon \qquad (1)$$

where $\rho_{KE} = \sum_{k \in \mathcal{K}} P_K(k)\,|k\rangle\langle k| \otimes \rho_E|_{K=k}$
is the state of the systems $K$ and $E$, $P_K(k)$ is the probability of having
$K = k$, $\rho_U = \sum_{k \in \mathcal{K}} |k\rangle\langle k| / |\mathcal{K}|$
represents an ideal key taking values uniformly over $\mathcal{K}$, and
$|\mathcal{K}|$ is the size of $\mathcal{K}$. Here,
$\mathrm{Tr}\,|A| = \sum_i |\lambda_i|$ where the $\lambda_i$'s are the eigenvalues
of $A$.

QKD expands a shorter secret key to a longer one. When one round of QKD that is
$\epsilon_1$-secure expands on a key generated by a previous round of QKD that is
$\epsilon_2$-secure, the composition of the two rounds is
$(\epsilon_1 + \epsilon_2)$-secure [43].



C. Additive functions 

In this paper, we consider PA functions that are additive. A function
$f: \mathrm{GF}(q)^N \to \mathrm{GF}(q)^{N_{\rm PA}}$ is said to be additive if
$f(a + b) = f(a) + f(b)$ for all $a, b \in \mathrm{GF}(q)^N$, where the addition
operators are defined in the respective fields. For prime $q$, the function $f$ is
additive if and only if it can be expressed in the form of matrix multiplication
$f(a) = Aa$ where addition and multiplication are defined in GF($q$). The "if" part
of this statement is obvious. To prove the "only if" part, note that additivity
implies linearity when $q$ is prime since every $a \in \mathrm{GF}(q)^N$ can be
expressed as a pure summation of unweighted basis vectors of some basis (e.g., a
weighting of 2 is broken down into a sum of two terms as in $a = 2v = v + v$, with
$v$ being a basis vector) and
$f(a) = \sum_{i=1}^{N} f(a[i]\, v_i) = \sum_i a[i]\, f(v_i)$, where the $v_i$'s are
the basis vectors. Thus, the columns of $A$ are the $f(v_i)$'s.

We work in GF(2) throughout the paper and so $q = 2$ and we can always consider PA
functions of the form $f(a) = Aa$. For $q = p^r$ being a power of a prime, we can
also restrict additive $f$ to be of the same form in the following sense. We may
view GF($q$) as a vector space over its subfield GF($p$), since any element of
GF($q$) can be written in the form $\sum_{i=1}^{r} \gamma_i \beta_i$, where
$\gamma_i \in \mathrm{GF}(p)$, $\beta_i \in \mathrm{GF}(q)$, and $\beta_i$ cannot be
expressed in the form $\gamma \beta_j$ for $j \neq i$ and some
$\gamma \in \mathrm{GF}(p)$. This means that an element of GF($q$) can be
represented as a length-$r$ vector with elements $\gamma_i$. Thus, when we express
the PA function in the prime field so that
$f: \mathrm{GF}(p)^{rN} \to \mathrm{GF}(p)^{rN_{\rm PA}}$, the statement that $f$ is
additive if and only if $f(a) = Aa$ for all $a \in \mathrm{GF}(p)^{rN}$ also holds.
Of course, this does not mean that $f$ can be expressed as $Aa$ for all
$a \in \mathrm{GF}(p^r)^N$.

Note that the number of additive PA functions grows exponentially as $N$ increases.
This makes Eve's job of attacking a key distribution scheme more difficult with
larger $N$, as she has to guess the PA function to be used by Alice and Bob in order
to customize her attack. Also, additivity is not a very strong constraint and
additive functions are commonly used. For example, in Toeplitz matrix based PA, the
PA function $f(a) = Aa$ is additive where $A$ is a Toeplitz matrix.

A property of an additive function $f$ is that any inverse image of $f$ is a
translation of the kernel by some offset. This means that the number of elements in
every inverse image is the same. We will use this property in the proof of
Theorem 1.



[Figure 1: two panels showing Bob, Eve, and Alice. Labels: BB84 channel; imperfect
key $a$; secure key after PA $f(a)$; secret message; OTP channel, on which the
received data is $f(a) \oplus \tilde{m}'$ in panel (a).]

(a) BB84 with normal PA and OTP.
(b) BB84 with PA delayed after the OTP. $\tilde{m}$ can be regarded as the expanded
version of the secret message $\tilde{m}'$.

FIG. 1. Overview of delayed privacy amplification. The message $\tilde{m}'$ is
secure in both situations, even though Eve sees different strings in the OTP
channel. We show in Theorem 1 that security is not affected by whether Eve sees
$f(a) \oplus \tilde{m}'$ or $a \oplus \tilde{m}$. Here, $f$ is the PA function which
shortens its input and the arrow of the BB84 channel indicates the direction of the
qubits.



III. DELAYED PRIVACY AMPLIFICATION 

Suppose Alice has an $N$-bit raw key $a$ on which Eve has some information. The raw
key, which may not be completely secure, can be turned into a shorter secure final
key by applying PA. Bob initially holds an $N$-bit raw key $b$ which is a noisy
version of $a$ and, for the current discussion of delayed PA, we assume that Bob can
correct all errors so that he also holds $a$. We denote the function chosen by Alice
and Bob for PA as $f$ (mapping $N$ bits to $N_{\rm PA} < N$ bits) and the secure key
shared between Alice and Bob as $f(a)$. Normally, to encrypt an $N_{\rm PA}$-bit
message $\tilde{m}'$, Alice computes $f(a) \oplus \tilde{m}'$ and sends it to Bob.
Bob can recover the original message $\tilde{m}'$ by XORing (footnote 2) the
encrypted message with the shared key $f(a)$ (see Fig. 1(a)). Eve, in the middle of
Alice and Bob, can see the encrypted message $f(a) \oplus \tilde{m}'$, but cannot
get information on the original message $\tilde{m}'$ because she does not know
$f(a)$.

In a delayed PA scheme, Alice expands the original message $\tilde{m}'$ to
$\tilde{m}$ for encryption with the pre-PA key $a$. We call the expanded message
$\tilde{m}$ the PA-inverse of $\tilde{m}'$. To do this securely, as we show below,
Alice should choose $\tilde{m}$ (an $N$-bit string) uniformly among all strings that
satisfy $\tilde{m}' = f(\tilde{m})$. Alice then sends $a \oplus \tilde{m}$ to Bob
(see Fig. 1(b)). We demand that $f$ be additive. Thus, anyone who receives this
string can apply $f$ to get $f(a \oplus \tilde{m}) = f(a) \oplus \tilde{m}'$, which
is the encrypted message sent in the normal OTP situation. In particular, Bob can
recover the original message by applying $f$ and XORing with the shared key $f(a)$.
Alternatively, Bob can recover the original message by XORing the received data with
the pre-PA key $a$ and applying $f$. The security of the original message
$\tilde{m}'$ is not obvious, as Eve sees $a \oplus \tilde{m}$ in this delayed PA
scheme, not $f(a \oplus \tilde{m})$ as in the normal OTP scheme. Nevertheless, we
show in the following theorem that the security of the delayed PA scheme is
identical to that of the normal OTP scheme.

2 Exclusive OR (XOR), denoted by $\oplus$, is an operation on two bits such that
$i \oplus j = 0$ if $i = j$ and $i \oplus j = 1$ otherwise. XOR can be extended to
become an operation on two bit strings by XORing each bit pair independently.

Theorem 1 (Security of delayed privacy amplification). Given an additive function
$f$ that maps an $N$-bit string to an $N_{\rm PA}$-bit string, and that the final
key $f(a)$ for some $a$ is $\epsilon$-secure against Eve according to Definition 1,
then, for some $N_{\rm PA}$-bit message $\tilde{m}'$ chosen independently of $a$,
$\tilde{m}'$ is $\epsilon$-secure against Eve (i.e., with the same security level)
when she sees $a \oplus \tilde{m}$, where $\tilde{m}$ is uniformly chosen among all
strings that satisfy $\tilde{m}' = f(\tilde{m})$.

Proof. Due to the security of OTP, $\tilde{m}'$ is secure when Eve sees
$f(a) \oplus \tilde{m}'$. Starting with this condition, we convert it to the final
condition claimed in the theorem. Let $f^{-1}[\alpha]$ be the inverse image of
$\alpha$ under $f$. Thus, Eve seeing $f(a) \oplus \tilde{m}'$ is effectively the
same as Eve seeing $f^{-1}[f(a) \oplus \tilde{m}']$ since Eve knows $f$ and thus can
compute the former given the latter and vice versa. First note that
$f^{-1}[\alpha]$ has $2^{N - N_{\rm PA}}$ elements irrespective of $\alpha$. This is
because $f$ is additive and has the form $f(a) = Aa$ where $A$ is an
$N_{\rm PA} \times N$ matrix. So, every inverse image is in fact an affine subspace
that can be translated to the kernel of $f$ by an offset. Hence, all inverse images
$f^{-1}[\alpha]$ for all $\alpha$ have the same number of elements (footnote 3).
This is important since it allows us to use a random variable $v$ independent of
$\alpha$ to select an element in the set $f^{-1}[\alpha]$. The variable $v$ has a
fixed range and is drawn uniformly.

As the final part of the argument, note that giving Eve a random element of
$f^{-1}[f(a) \oplus \tilde{m}']$ chosen according to $v$ is equivalent to Eve seeing
all the elements of $f^{-1}[f(a) \oplus \tilde{m}']$ and $v$. Since $v$ is
independent of the elements of $f^{-1}[f(a) \oplus \tilde{m}']$, knowing $v$ gives
Eve no extra information about $f(a)$ or $\tilde{m}'$ over what knowing
$f^{-1}[f(a) \oplus \tilde{m}']$ gives. Thus, from Eve's point of view, seeing a
random element of the set $f^{-1}[f(a) \oplus \tilde{m}']$ is equivalent to seeing
the whole set. Choosing $s$ uniformly in $f^{-1}[f(a) \oplus \tilde{m}']$ means
choosing $s$ uniformly such that $f(s) = f(a) \oplus \tilde{m}'$ or
$f(s \oplus a) = \tilde{m}'$. By defining $\tilde{m} = s \oplus a$, we arrive at
the claim of the theorem. □

Remark 1. We note that delaying privacy amplification does not affect the security
and the key generation length. The reason is as follows. Theorem 1 proves that the
same security level is achieved by delaying PA with the same PA function. Since the
PA function defines the final key length, the key generation length is not
affected.



A. Special messages 

We note the following special cases:

• (Random message) If the original message $\tilde{m}'$ is also uniformly chosen
(acting as a key), $\tilde{m}$ can be uniformly chosen without regard to the
condition $\tilde{m}' = f(\tilde{m})$.

• (Imperfect key as message) If the original message $\tilde{m}'$ is an imperfect
key, we can delay the PA of it together with $a$. For instance, suppose that
$\tilde{m}' = g(a')$ is secure after applying the PA function $g$ to the insecure
key $a'$. Then, the encrypting party can send $a \oplus \tilde{m}$, where
$\tilde{m}$ is uniformly chosen among all strings that satisfy
$g(a') = f(\tilde{m})$.



B. Computation of the PA-inverse 

To apply the delayed PA scheme, given the original message $\tilde{m}'$, Alice
needs to compute its inverse by choosing $\tilde{m}$ uniformly among all strings
that satisfy $\tilde{m}' = f(\tilde{m})$. Here, we offer a method that Alice can
use to compute the PA-inverse $\tilde{m}$. Note that this is one possible method;
there may be other methods with different efficiencies to perform the same task.

Our method goes as follows. Since $f$ is imposed to be additive, it can be
represented by a matrix multiplication in GF(2), the finite field of two elements:

$$\tilde{m}' = f(\tilde{m}) = A\tilde{m} \qquad (2)$$

where $A$ is an $N_{\rm PA} \times N$ matrix with entries in GF(2). Multiplication
of two elements is AND (footnote 4), while addition is XOR.

We assume that the rows of $A$ are linearly independent. Thus, we can apply row
operations (XOR of two rows) based on Gaussian elimination to express $A$ in upper
triangular form:

$$RA = \begin{pmatrix}
1 & * & \cdots & * & * & \cdots & * \\
0 & 1 & \cdots & * & * & \cdots & * \\
\vdots & & \ddots & & & & \vdots \\
0 & 0 & \cdots & 1 & * & \cdots & *
\end{pmatrix} \qquad (3)$$

where the last row has $N_{\rm PA} - 1$ zeros at the beginning and $R$ is an
invertible $N_{\rm PA} \times N_{\rm PA}$ matrix representing the row operations.
Thus, given $R\tilde{m}'$, we can find $\tilde{m}$ by randomly choosing the last
$N - N_{\rm PA}$ elements of $\tilde{m}$ and successively determining the remaining
elements of $\tilde{m}$ by using the triangular structure.
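The delayed PA exchange of Theorem 1 and the PA-inverse computation of this section, as an added worked example; this is not code from the paper. It assumes a Toeplitz PA matrix $A$ over GF(2) built from a constructed seed (the paper's own matrix and parameters are not given), computes the PA-inverse by Gaussian elimination on the augmented system $[A \,|\, \tilde{m}']$ in the general echelon form (so it also handles a matrix whose pivot columns are not the first $N_{\rm PA}$ columns, slightly beyond the triangular case of Eq. (3)), checks both of Bob's decryption routes, and verifies by brute force that every inverse image has $2^{N - N_{\rm PA}}$ elements, the property the proof of Theorem 1 relies on. All function names are this example's own.

```python
import itertools
import random


def toeplitz_matrix(n_pa, n, seed_bits):
    """N_PA x N Toeplitz matrix over GF(2) from N + N_PA - 1 seed bits:
    entry (i, j) = seed_bits[i - j + n - 1], constant along each diagonal."""
    assert len(seed_bits) == n + n_pa - 1
    return [[seed_bits[i - j + n - 1] for j in range(n)] for i in range(n_pa)]


def apply_pa(A, v):
    """f(v) = A v over GF(2): multiplication is AND, addition is XOR."""
    return [sum(a & x for a, x in zip(row, v)) & 1 for row in A]


def xor(u, v):
    return [x ^ y for x, y in zip(u, v)]


def pa_inverse(A, m_prime, rng=random):
    """Choose m uniformly among all N-bit strings with A m = m'.

    Row XORs bring the augmented matrix [A | m'] to reduced row echelon form.
    The non-pivot coordinates of m are free and are drawn uniformly; each pivot
    coordinate is then fixed by its reduced row.  Distinct free-bit choices give
    distinct solutions and every solution arises from exactly one choice, so the
    draw is uniform over the inverse image f^{-1}[m']."""
    n_pa, n = len(A), len(A[0])
    rows = [row[:] + [b] for row, b in zip(A, m_prime)]
    pivots, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, n_pa) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(n_pa):
            if i != r and rows[i][c]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == n_pa:
            break
    # Dependent rows of A leave all-zero rows; their right-hand side must vanish.
    if any(rows[i][n] for i in range(r, n_pa)):
        raise ValueError("m' is not in the image of f")
    free = [c for c in range(n) if c not in pivots]
    m = [0] * n
    for c in free:
        m[c] = rng.getrandbits(1)
    for i, c in enumerate(pivots):
        m[c] = rows[i][n] ^ (sum(rows[i][j] & m[j] for j in free) & 1)
    return m


def delayed_pa_exchange(A, a, m_prime, rng=random):
    """Alice encrypts the PA-inverse m of m' with the raw key a; Eve sees a xor m.
    Returns (m, ciphertext, Bob's route-1 result, Bob's route-2 result)."""
    m = pa_inverse(A, m_prime, rng)
    cipher = xor(a, m)
    route1 = xor(apply_pa(A, cipher), apply_pa(A, a))  # apply f, then XOR with f(a)
    route2 = apply_pa(A, xor(cipher, a))               # XOR with a, then apply f
    return m, cipher, route1, route2


def preimage_sizes(A):
    """Brute-force |f^{-1}[alpha]| for every alpha in GF(2)^{N_PA}, lexicographic order."""
    n_pa, n = len(A), len(A[0])
    counts = {alpha: 0 for alpha in itertools.product((0, 1), repeat=n_pa)}
    for v in itertools.product((0, 1), repeat=n):
        counts[tuple(apply_pa(A, list(v)))] += 1
    return [counts[alpha] for alpha in sorted(counts)]


# Constructed demo parameters: N = 6, N_PA = 3, Toeplitz seed of N + N_PA - 1 = 8 bits.
SEED_BITS = [1, 0, 1, 1, 0, 0, 1, 0]
A_DEMO = toeplitz_matrix(3, 6, SEED_BITS)

if __name__ == "__main__":
    rng = random.Random(2024)
    a = [rng.getrandbits(1) for _ in range(6)]   # constructed raw key
    m_prime = [1, 0, 1]                          # constructed 3-bit message
    m, cipher, r1, r2 = delayed_pa_exchange(A_DEMO, a, m_prime, rng)
    print("f(m) =", apply_pa(A_DEMO, m), " m' =", m_prime)
    print("Eve sees a xor m =", cipher, " Bob recovers", r1, r2)
    print("inverse-image sizes:", preimage_sizes(A_DEMO))  # all 2^(N - N_PA) = 8
```

The brute-force count is only there to make the affine-subspace argument concrete for a toy size; for production block sizes the sampling in `pa_inverse` is the operational part, and its cost is one Gaussian elimination per message (or once per $A$ if the reduced form is cached).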



3 Sec. III B describes the computation of $f^{-1}[\alpha]$ and shows explicitly how
to find the $2^{N - N_{\rm PA}}$ elements for a given $\alpha$.

4 AND is an operation on two bits such that $i$ AND $j = 1$ only when $i = j = 1$.
C. Example usage: a simple relay

Suppose Bob and Charlie want to establish a secret key, but they do not have a
direct quantum link with each other. Instead, Bob has a quantum link with Alice (a
relay) who has already shared a huge supply (denoted as pool $\mathcal{V}$) of
perfectly secure (footnote 5) key bits with Charlie. Normally, Alice and Bob would
run BB84 to generate from an $N$-bit raw key $a$ an $N_{\rm PA} < N$-bit final key
$f(a)$. With this key, Alice can OTP-encrypt $N_{\rm PA}$ bits from pool
$\mathcal{V}$ and send the cipher text $f(a) \oplus \tilde{m}'$ to Bob, where
$\tilde{m}'$ denotes the bits from the pool. Bob then recovers the confidential
message $\tilde{m}'$ that Charlie knows and this completes the task of sharing a key
between Bob and Charlie through Alice. If the key $f(a)$ is $\epsilon$-secure
against Eve according to the universally composable definition in Definition 1, the
originally perfectly secure key $\tilde{m}'$ now becomes $\epsilon$-secure.

Suppose that the costs of classical communication, computation, and/or energy of
Alice are high. PA can be costly in these aspects. In particular, performing PA
requires one party to transmit the full specification of the PA function $f(\cdot)$
to the other party. For example, Toeplitz matrix based PA needs
$N + N_{\rm PA} - 1$ bits to specify [22, 25], which can be a big number when the
block size is large. Also, performing Toeplitz matrix based PA requires large matrix
multiplication, which translates to large computation and energy needs. These can be
costly for a satellite relay, for example. In order to reduce these costs, Alice and
Bob can delay PA and turn it over to Bob and Charlie. To illustrate the idea of
delayed PA, we assume for simplicity that bit and phase error testing and error
correction are performed between Alice and Bob as normal. Based on the phase error
rate, Bob as in the normal situation decides a particular PA function $f$. But
instead of telling Alice about $f$, Bob tells Charlie about it. Now, with delayed
PA, Alice can take $N$ bits from pool $\mathcal{V}$ and directly OTP-encrypt them
with the raw key $a$. This $N$-bit cipher text $a \oplus \tilde{m}$ is transmitted
to Bob, where $\tilde{m}$ denotes the $N$ bits from the pool. Bob recovers
$\tilde{m}$, which Charlie knows. Both Bob and Charlie apply PA $f$ to share a final
secret key $f(\tilde{m})$, which has length $N_{\rm PA}$ and is $\epsilon$-secure
according to Theorem 1. This generates the same key as in the normal situation
without delayed PA. Note that in this example, we sacrifice more key bits between
Alice and Charlie to save the communication, computation, and/or energy costs of
Alice.



[Figure 2: Bob's forward-channel states, labelled $w = z: \{|0_z\rangle, |1_z\rangle\}$;
Alice's encoding operations $\{I, X, Y, Z\}$; forward quantum channel (B-to-A) and
backward quantum channel (A-to-B).]

5 We assume for simplicity that the perfectly secure key is established by
face-to-face key exchange.

FIG. 2. Protocol DQKD. Bob chooses one of the four qubit states to send to Alice on
the forward channel. She applies one of the four operations to encode her key bit
and returns the qubit to Bob on the backward channel. Bob measures the received
qubit in the basis he originally used for the forward qubit. The value of Alice's
key bit depends on Bob's basis (see Table I).



IV. TWO-WAY DETERMINISTIC QKD PROTOCOL

Fig. 2 illustrates the two-way deterministic QKD protocol we consider in this paper,
which we call Protocol DQKD. The steps of Protocol DQKD are as follows. Note that
here and in the rest of the paper, we present protocols in the context of Koashi's
security analysis [12] in which pre-shared secret keys are used for encrypted
communication of error correction information. However, paradigms of other security
analyses are applicable as well.

1. (Qubit transmission) Bob sends qubits to Alice taken in
$\{|0_z\rangle, |1_z\rangle, |0_x\rangle, |1_x\rangle\}$ on line B-to-A.

2. (Encoding) For each qubit received by Alice, she either measures it with a random
basis (check mode) or applies a random operation to it before returning it to Bob
via line A-to-B (encoding mode). We call the qubit in the check mode a test bit and
in the encoding mode a code bit. The operation she applies in the encoding mode is
$I$, $X$, $Y$, or $Z$ chosen with uniform probabilities. It does not matter whether
she returns a qubit to Bob via line A-to-B in the check mode.

3. (Measurement by Bob) Bob measures each qubit received on line A-to-B in the same
basis as the one he used for the state he sent to Alice on line B-to-A in Step 1.

4. (Channel estimation) After transmission of all qubits, Alice and Bob estimate the
bit error rate $e_b$ and phase error rate $e_p$ of line B-to-A using the test bits
measured in check mode in Step 2. They can do this by comparing their bit values of
those qubits that Alice measured with consistent bases.

5. (Key reconciliation) Bob announces to Alice the basis used for each code bit.
Alice constructs her key bit value based on the basis (see Table I): when the basis
is $x$, the key bit is 0 (1) if she applied $I$ or $X$ ($Z$ or $Y$); when the basis
is $z$, the key bit is 0 (1) if she applied $I$ or $Z$ ($X$ or $Y$). Bob uses the
same rule to decide the key bit value. Note that Alice and Bob do not discard any
code bit. There is no basis reconciliation step.

6. (Key bit error testing) Alice and Bob test for the error rate in the key bits by
comparing a subset of them. The remaining key bits form their raw keys, $a$ for
Alice and $b$ for Bob. We denote the length of them by $N$.

7. (Final key generation) Alice and Bob choose a privacy amplification function
$f(\cdot)$ that is additive and maps $N$ bits to $N_{\rm PA} = N[1 - h(e_p)]$ bits.
Alice applies privacy amplification to her raw key $a$ to obtain the final key
$k = f(a)$. She sends Bob $N h(e_b)$ bits of error correction information encrypted
with pre-shared secret bits. This allows Bob to correct his raw key $b$ to match
Alice's $a$. Bob then applies PA to get the same final key $k$.

TABLE I. Key bit value dependence on the basis used by Bob ($x$ or $z$) and Alice's
encoding operation ($I$, $X$, $Y$, or $Z$). For example, when Bob uses basis $z$,
bit 1 is encoded by Alice if she applies $X$ or $Y$ on the qubit sent by Bob.

  Basis | Bit value 0 | Bit value 1
  ------+-------------+------------
    x   |   {I, X}    |   {Z, Y}
    z   |   {I, Z}    |   {X, Y}



The net key expansion length is

$$N_{\rm key,two\text{-}way} = N[1 - h(e_b) - h(e_p)]. \qquad (4)$$

In Sec. V B we will show that the newly generated key with length $N_{\rm PA}$ is
secure, thus the net key gain given in Eq. (4) is achievable. We will prove this by
combining the BB84 protocol and the OTP protocol, and then successively converting
the OTP protocol to finally form the two-way DQKD protocol given here.
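Steps 1-7 of Protocol DQKD and the key-bit rule of Table I, as an added simulation that is not part of the paper. Qubits are tracked as two-component state vectors; Alice's encoding operation is one of $I$, $X$, $Y = iXZ$, $Z$ in the paper's notation; Bob measures in the basis he prepared in and decodes the key bit as (prepared bit) XOR (measured bit); `check_table_i` confirms that this decoding agrees with Table I for all 16 state/operation pairs, `run_dqkd` produces the raw keys $a$ and $b$ over a noiseless backward channel with no check-mode qubits, and `net_key_length` evaluates Eq. (4). All function names and the seed are this example's own.

```python
import math
import random

# Pauli operators as 2x2 complex matrices; Y = iXZ as in the paper's notation.
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


Y = [[1j * v for v in row] for row in matmul(X, Z)]
OPS = {"I": I2, "X": X, "Y": Y, "Z": Z}

# Eigenstates |0_w>, |1_w> of the z and x bases as state vectors.
S = 1 / math.sqrt(2)
STATES = {("z", 0): [1, 0], ("z", 1): [0, 1],
          ("x", 0): [S, S], ("x", 1): [S, -S]}

# Table I: key bit as a function of Bob's basis and Alice's operation.
KEY_BIT = {"x": {"I": 0, "X": 0, "Z": 1, "Y": 1},
           "z": {"I": 0, "Z": 0, "X": 1, "Y": 1}}


def apply_op(M, v):
    return [M[0][0] * v[0] + M[0][1] * v[1], M[1][0] * v[0] + M[1][1] * v[1]]


def measure(v, basis):
    """Measure in basis w. Every state reaching Bob here is an eigenstate of his
    own basis up to a global phase, so one outcome has probability 1."""
    probs = []
    for bit in (0, 1):
        e = STATES[(basis, bit)]            # real components, so no conjugation needed
        amp = e[0] * v[0] + e[1] * v[1]
        probs.append(abs(amp) ** 2)
    return 0 if probs[0] > 0.5 else 1


def alice_key_bit(basis, op):
    return KEY_BIT[basis][op]


def bob_key_bit(prepared_bit, measured_bit):
    # A flip of his own basis state means Alice encoded a 1 in that basis.
    return prepared_bit ^ measured_bit


def check_table_i():
    """True iff Bob's decoding matches Table I for every basis, bit and operation."""
    for (basis, bit), v in STATES.items():
        for op, M in OPS.items():
            decoded = bob_key_bit(bit, measure(apply_op(M, v), basis))
            if decoded != alice_key_bit(basis, op):
                return False
    return True


def run_dqkd(n, seed=0):
    """Noiseless encoding-mode run of Steps 1, 2, 3 and 5; returns raw keys (a, b)."""
    rng = random.Random(seed)
    a, b = [], []
    for _ in range(n):
        basis, bit = rng.choice("xz"), rng.getrandbits(1)   # Step 1: Bob prepares
        op = rng.choice("IXYZ")                             # Step 2: Alice encodes
        q = apply_op(OPS[op], STATES[(basis, bit)])
        meas = measure(q, basis)                            # Step 3: Bob measures
        a.append(alice_key_bit(basis, op))                  # Step 5: basis announced
        b.append(bob_key_bit(bit, meas))
    return a, b


def h(p):
    """Binary entropy in bits."""
    return 0.0 if p in (0, 1) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def net_key_length(N, e_b, e_p):
    """Eq. (4): N[1 - h(e_b) - h(e_p)]."""
    return N * (1 - h(e_b) - h(e_p))


if __name__ == "__main__":
    print("Table I reproduced by measurement:", check_table_i())
    a, b = run_dqkd(16, seed=1)
    print("a =", a, "\nb =", b, "\nraw keys agree:", a == b)
    print("net key length for N=1000, e_b=e_p=0.05:", round(net_key_length(1000, 0.05, 0.05), 1))
```

Because every code bit is kept (no basis reconciliation), `len(a) == n` for the whole run, which is the "deterministic" property the text describes; a noisy backward channel would show up as disagreements between `a` and `b` that Step 6 is there to measure.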

An interesting feature of two-way DQKD is that every code bit encoded by Alice in
the encoding mode will be used for the final key generation without being wasted
due to measurement basis mismatch. There is no basis reconciliation for the key bits
and this is why the protocol is called deterministic (footnote 6). This is in
contrast to the original BB84 protocol where half of the code bits are discarded.
On the other hand, the efficient BB84 protocol [48] allows all code bits to be used
as well, but only asymptotically. Therefore, in finite-length situations, two-way
DQKD is still more efficient in using the code bits.

Note that the test bits in the check mode of two-way DQKD are measured by Alice with
a random basis and thus are subject to discarding due to basis mismatch. Thus, the
check mode performances are the same in two-way DQKD and BB84.

A disadvantage of two-way DQKD is that the quantum signals emitted by Bob suffer
from twice the channel loss compared to BB84.

6 Note that the term deterministic was first introduced in Ref. [30] to mean that
when Alice wants to send 0 (or 1) to Bob, she can encode her bit definitely. This
makes sense in quantum direct communication, but not QKD. We borrow this term into
the QKD setting but only use it to mean that every code bit will be used to generate
the final key, instead of that every code bit is a final key bit. This is because
Alice and Bob need to run privacy amplification, which is determined only after
Alice has encoded all the raw key bits. Privacy amplification will then turn Alice's
raw key bits into a new bit string that is different from what she initially sent.



V. SECURITY PROOF OF TWO-WAY DQKD

The security proof of the two-way DQKD protocol is based on arguing for the
equivalence of the protocol with an integrated scheme, and thus the security of the
former directly follows from that of the latter. The integrated scheme consists of
the BB84 protocol on the forward line and one-time pad on the backward line. The
security of both is well established. Starting with the integrated scheme in
Sec. V A, we will convert it to the two-way DQKD protocol in Sec. V B.



A. Original protocols for constructing two-way DQKD

Here, we outline the steps of the BB84 protocol and OTP, which serve as the starting
point of the conversion process.



Protocol 1 on line B-to-A: BB84

We can view the line from Bob to Alice as a BB84 key distillation step. The steps of
BB84 are shown below, where we assume for simplicity the use of quantum memory to
avoid the step of discarding bits measured with inconsistent bases.

Protocol 1 (BB84 with quantum memory) on line B-to-A:

1. Bob sends $N + N_{\rm test}$ qubits to Alice taken in
$\{|0_z\rangle, |1_z\rangle, |0_x\rangle, |1_x\rangle\}$.

2. Alice stores all $N + N_{\rm test}$ received qubits in quantum memory.
3. Bob announces the basis of each qubit, and Alice measures her qubits in the
corresponding bases.

4. Alice and Bob randomly select $N_{\rm test}$ test bits to find out the bit error
rate $e_b$ and phase error rate $e_p$ for this line B-to-A (footnote 7). Alice and
Bob choose a privacy amplification function $f(\cdot)$ that is additive and maps
$N$ bits to $N_{\rm PA} = N(1 - h(e_p))$ bits.

5. The final secret key is derived from Alice's raw key as an $N_{\rm PA}$-bit
string $k = f(a)$. To allow Bob to obtain the same final key, Alice sends Bob
$N_{\rm EC} = N h(e_b)$ bits of error correction information encrypted with
pre-shared secret bits of the same size so that Bob can correct his raw key $b$ to
become $a$. He then applies the same privacy amplification function $f(\cdot)$ to
get the final key $k$.

Now, according to Koashi's security proof of the BB84 protocol (see also other
proofs [6-9]), the final key $k$ is secure against Eve with the net key expansion
length

$$N_{\rm key} = N_{\rm PA} - N_{\rm EC} = N[1 - h(e_b) - h(e_p)]. \qquad (5)$$



Protocol 2 on line A-to-B: one-time pad

We can view the line from Alice to Bob as a one-time pad encryption step.

6. Alice encrypts an $N_{\rm PA}$-bit message $f(\tilde{m})$ with the secret key $k$
with one-time pad and sends the encrypted message $f(\tilde{m}) \oplus k$ to Bob
over a classical channel. (As we will see later, $\tilde{m}$ will be chosen
randomly with uniform probabilities.)

7. Bob decrypts his received data with key $k$ to get the secret message
$f(\tilde{m})$.

Here, Eve sees $f(\tilde{m}) \oplus k$ on line A-to-B and the message $f(\tilde{m})$
is secure against her because of the security of one-time pad.



B. Conversion from original protocol 

We successively convert the original Protocol 2 to new 
Protocols 2b, 2c, and 2d, while maintaining the same se- 
curity in each step to finally arrive at the two-way DQKD 



7 The average quantum bit and phase error rates e;, and e p are 
related to the classical bit error rates in the x basis test bits and 
the z basis test bits, denoted as e x and e z respectively. Asymp- 
totically, the quantum bit error rate and the phase error rate 
for the remaining x (z) basis bits are e x and e z respectively (e z 
and e x respectively). Thus, the average quantum bit error rate 
is = (e x + e z )/2 and the average quantum phase error rate 
is e b = (e z + e x )/2. Even though they are the same, we use 
separate symbols for them to emphasize their meanings in secret 
key distillation. 
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|Protocol 2d: Quantum OTP, with depolarizing channel| 



(c) 



FIG. 3. (Color online) Protocols 2b, 2c, and 2d are equivalent. The equivalence between Protocols 2c and 2d can be understood intuitively by noting that both a measurement and a depolarizing operation disentangle line B-to-A and line A-to-B. This is rigorously shown by comparing their density matrices in Eq. (6) of Protocol 2c and Eqs. (8)-(9) of Protocol 2d. We identify the message bit $m_1$ ($m_2$) of Protocol 2d with $m$ of Protocol 2c when $w = z$ ($w = x$). Thus, Protocol 2d requires Bob to inform Alice of his basis $w$ so that she knows whether $m_1$ or $m_2$ is used for the final key generation. In all cases, privacy amplification $f$ is delayed until after OTP to generate the final secret key $f(m)$, and the top part of each figure is Protocol 1. Here, we assume for simplicity that the backward line A-to-B is noiseless, but noise can be incorporated easily (see Sec. IV C). QC: quantum channel; CC: classical channel.
protocol. Figure 3 shows the equivalent protocols, and they are described in more detail in the following.

Protocol 2b on line A-to-B: one-time pad with delayed privacy amplification

6. Alice encrypts an $N$-bit random message $m$ with her raw key $a$ using the one-time pad and sends the encrypted message $m \oplus a$ to Bob over the classical channel line A-to-B.

7. Bob recovers the secret message $f(m)$ as follows. He applies privacy amplification to his received bits to get $f(m \oplus a)$. Due to the additivity of $f(\cdot)$, his received data is $f(m) \oplus f(a) = f(m) \oplus k$, which he can decrypt with the same key $k$ to recover the message $f(m)$. Alternatively, he can XOR his received string $m \oplus a$ with the raw key $a$ and apply privacy amplification $f$ to recover the message $f(m)$.

Here, Eve sees $m \oplus a$, which is different from the situation in Protocol 2. Nevertheless, as we have shown in Theorem 1, the security of $f(m)$ is the same as that in Protocol 2, meaning that Eve cannot get any information about $f(m)$.
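The two decryption orders of Step 7 and the additivity they rely on, as an added example that is not code from the paper: a binary Toeplitz-matrix hash over GF(2) stands in for $f$ (a standard GF(2)-linear privacy amplification function, assumed here), Protocol 2 and Protocol 2b are run on constructed random data, and a single uncorrected error $e_1$ in Bob's raw key shows that Bob ends up with $f(m) \oplus f(e_1)$ instead of $f(m)$, which is why his raw key must be corrected.

```python
import random

def toeplitz_pa(seed_bits, n_in, n_out):
    """Return f: {0,1}^n_in -> {0,1}^n_out given by the binary Toeplitz matrix T
    with T[r][c] = seed_bits[r - c + n_in - 1]. T is GF(2)-linear, so f is additive:
    f(u xor v) = f(u) xor f(v), which is what delayed privacy amplification relies on."""
    assert len(seed_bits) == n_in + n_out - 1
    def f(bits):
        assert len(bits) == n_in
        return [sum(seed_bits[r - c + n_in - 1] for c, b in enumerate(bits) if b) % 2
                for r in range(n_out)]
    return f

def xor(u, v):
    return [x ^ y for x, y in zip(u, v)]

def protocol_2(f, m, a):
    """Protocol 2: PA first, then OTP. Eve sees f(m) xor k with k = f(a); Bob gets f(m)."""
    k = f(a)
    eve_sees = xor(f(m), k)
    return xor(eve_sees, k)

def protocol_2b(f, m, a, b):
    """Protocol 2b: OTP with the raw key first, PA delayed. Eve sees m xor a.
    b is Bob's raw key (b == a once error correction has succeeded). Both of
    Bob's decryption orders from Step 7 are returned."""
    eve_sees = xor(m, a)
    pa_then_decrypt = xor(f(eve_sees), f(b))   # f(m xor a) xor f(b)
    decrypt_then_pa = f(xor(eve_sees, b))      # f(m xor a xor b)
    return pa_then_decrypt, decrypt_then_pa

def demo(n=24, n_pa=10, seed=2024):
    """Constructed run: random seed, message and raw key, plus one raw-key error e1 at Bob."""
    rnd = random.Random(seed)
    rbits = lambda k: [rnd.randrange(2) for _ in range(k)]
    f = toeplitz_pa(rbits(n + n_pa - 1), n, n_pa)
    m, a = rbits(n), rbits(n)
    e1 = [1] + [0] * (n - 1)                   # a single uncorrected error in Bob's raw key
    p2 = protocol_2(f, m, a)
    p2b = protocol_2b(f, m, a, a)              # error-corrected raw key: b == a
    bad = protocol_2b(f, m, a, xor(a, e1))     # uncorrected raw key: b == a xor e1
    return {
        "protocol_2": p2, "protocol_2b": p2b, "f_m": f(m), "with_error": bad,
        "residual": xor(f(m), f(e1)),          # Bob's output with the error: f(m) xor f(e1)
    }
```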

Protocol 2c on line A-to-B: one-time pad on 
quantum channel, with measurement 

Line A-to-B is now regarded as a quantum channel, even though we use it for the communication of the classical OTP-encrypted message. We encode the OTP-encrypted classical message $m \oplus a$ of Step 6 of Protocol 2b in a quantum state so that it can be carried by the quantum channel. This is easily done by encoding each bit in an eigenstate of some basis. Here, we assume that the basis used is the same basis $w = x, z$ Bob used to encode his qubit on line B-to-A. Also, we assume for simplicity that Alice knows $w$ for each bit. Thus, the $N$-qubit state Alice sends is $|(m \oplus a)_w\rangle = \bigotimes_{i=1}^{N} |(m[i] \oplus a[i])_{w[i]}\rangle$, where the index $i$ denotes the $i$th bit of the message, key, and basis. The modified steps are as follows:

6. Alice encrypts an $N$-bit random message $m$ with the raw key $a$ using the one-time pad and sends the encrypted message $|(m \oplus a)_w\rangle$ to Bob over the quantum channel line A-to-B.

7. Bob measures the $N$ qubits received from line A-to-B in basis $w$ to recover the OTP-encrypted message $m \oplus a$. He recovers the secret message $f(m)$ as in Step 7 of Protocol 2b.

Overall density matrix 

We first consider the state $|\Psi\rangle_{A\bar A}$ for the $i$th bit shared after Alice received her $N$ qubits from line B-to-A (where system $A$ is the $i$th qubit received by Alice on line B-to-A and system $\bar A$ includes all the remaining systems, including Eve's and Bob's states for the $N$ transmissions and Alice's remaining $N - 1$ qubits). To simplify notation, we drop the index $i$ from all symbols (including $\Psi[i]$, $w[i]$, and $a[i]$) in the following, since we always deal with the $i$th qubit. This state $|\Psi\rangle$ is the state before Alice decides to send anything on line A-to-B. In Protocol 2c, Alice measures her state of $A$ in basis $w = x, z$ using the projection $\{|0_w\rangle\langle 0_w|, |1_w\rangle\langle 1_w|\}$. So the overall state becomes $\sum_{a=0,1} |a_w\rangle_A |\Psi(a,w)\rangle_{\bar A} |a\rangle_{A'}$, where $|\Psi(a,w)\rangle_{\bar A} = (\langle a_w|_A \otimes I_{\bar A}) |\Psi\rangle_{A\bar A}$ and system $A'$ is the ancilla for storing the measurement result. We specifically isolate the raw key bit $a$ in system $A'$ so that we can use it to perform OTP with the message bit $m$. Next, Alice prepares a random message $2^{-1}\sum_{m=0,1} |m\rangle_M\langle m|$ and runs controlled-$Z$ (if $w = x$) or controlled-$X$ (if $w = z$) on systems $M$ (as control) and $A$. This is equivalent to the OTP encryption, resulting in the overall density matrix

$$\rho_{MA\bar A A'} = \frac{1}{2} \sum_{m=0,1} |m\rangle_M\langle m| \otimes P\Big(\sum_{a=0,1} |(m \oplus a)_w\rangle_A\, |\Psi(a,w)\rangle_{\bar A}\, |a\rangle_{A'}\Big), \qquad (5)$$

in which system A is sent by Alice on line A-to-B to Bob 
and system M is her message bit. 

After the OTP encryption, the raw key bit $a$ is no longer needed. Thus, we trace over system $A'$ to get the overall state

$$\rho_{MA\bar A} = \frac{1}{2} \sum_{a=0,1}\,\sum_{m=0,1} P\Big(|m\rangle_M\, |(m \oplus a)_w\rangle_A\, |\Psi(a,w)\rangle_{\bar A}\Big). \qquad (6)$$

Note that tracing over system $A'$, which contains the raw key bit, does not mean giving the raw key bit to Eve. Eve's state is contained in system $\bar A$. The state in Eq. (6) is important for our discussion since it contains all the relevant systems in the protocol. In fact, Protocol 2d in the next section will be shown to be equivalent to Protocol 2c here by showing that the corresponding states there are the same as Eq. (6).



Protocol 2d on line A-to-B: one-time pad on 
quantum channel, without measurement 

In the previous Protocol 2c, the measurement by Alice disentangles line B-to-A and line A-to-B. Therefore, to come up with an equivalent protocol without a measurement, we need to reproduce this disentanglement feature and at the same time achieve the same overall state in Eq. (6). One way to do this is by replacing the measurement by a depolarizing channel. Starting with the same initial state $|\Psi\rangle_{A\bar A}$ for the $i$th bit as in the previous subsection, Alice performs randomly, with uniform probabilities, the operations $I$, $X$, $Y$, or $Z$ on each of her $N$ qubits independently. We express this random operation as Alice using a mixed state $4^{-1}\sum_{m_1,m_2=0,1} |m_1 m_2\rangle_{M_1 M_2}\langle m_1 m_2|$ to control the four operations on system $A$:

$$|\Psi\rangle_{A\bar A}\langle\Psi| \;\to\; \frac{1}{4} \sum_{m_1,m_2=0,1} |m_1 m_2\rangle_{M_1 M_2}\langle m_1 m_2| \otimes (X^{m_1} Z^{m_2})_A\, |\Psi\rangle_{A\bar A}\langle\Psi|\, (Z^{m_2} X^{m_1})_A . \qquad (7)$$

Here, we assume Alice holds the purification of this mixed state. Tracing the right-hand side over $M_1$ or $M_2$, simple calculations (see Appendix A) lead to

$$\rho_{M_1 A\bar A} = \frac{1}{2} \sum_{a=0,1}\,\sum_{m_1=0,1} P\Big(|m_1\rangle_{M_1}\, |(m_1 \oplus a)_z\rangle_A\, |\Psi(a,z)\rangle_{\bar A}\Big) \qquad (8)$$

$$\rho_{M_2 A\bar A} = \frac{1}{2} \sum_{a=0,1}\,\sum_{m_2=0,1} P\Big(|m_2\rangle_{M_2}\, |(m_2 \oplus a)_x\rangle_A\, |\Psi(a,x)\rangle_{\bar A}\Big) \qquad (9)$$

Note that Eqs. (8) and (9) are expressed in terms of bases $z$ and $x$ respectively, regardless of the actual basis $w$ used by Bob to encode system $A$.

We argue that Protocol 2c and Protocol 2d are the same as follows. Eqs. (8) and (9) represent the final overall state of Protocol 2d, and we compare them to that of Protocol 2c in Eq. (6). We can see that when $w = z$ ($w = x$), we can identify $m_1$ in Eq. (8) ($m_2$ in Eq. (9)) with $m$ in Eq. (6). Thus, when $w = z$ ($w = x$), we can regard Alice's message bit as being $m_1$ ($m_2$). Once the basis $w$ is publicly announced by Bob, all of Alice, Bob, and Eve will know whether $m_1$ or $m_2$ will be used by Alice; in other words, they will know which of Eqs. (8) and (9) describes the situation. Therefore, Protocol 2c and Protocol 2d are the same from Eve's and Bob's points of view.

In Protocol 2d, we need a step for Bob to inform Alice about $w$ so that she knows whether $m_1$ or $m_2$ is her message bit. Note that when Alice performs one of the four operations of the depolarizing channel, she does not know what the message bit value is (unless $m_1 = m_2$). After Bob receives his qubit, he announces to Alice his basis choice $w$, and only then does Alice know the value of her own message bit.

The modified steps of Protocol 2d are as follows: 

6. Alice chooses two $N$-bit random messages $m_1$ and $m_2$. For each qubit received from line B-to-A, she applies $Z$ if $m_2 = 1$ and applies $X$ if $m_1 = 1$ (see footnote 8). The qubit is then forwarded back to Bob via line A-to-B.

7. Bob measures the N qubits received from line A- 
to-B in basis w which he has used in Step 1. 



8. Bob announces to Alice the basis for each qubit. If the basis is $z$ ($x$), Alice's message bit is $m_1$ ($m_2$). So in the previous step, Bob's measured qubit corresponds to Alice's OTP-encrypted message bit $m_1 \oplus a$ (for $w = z$) or $m_2 \oplus a$ (for $w = x$). He recovers the secret message $f(m)$ as in Step 7 of Protocol 2b, with the appropriate substitution $m_1 \to m$ or $m_2 \to m$ for each bit. Alice also constructs the secret message $f(m)$ with the same substitution.

Therefore, when line A-to-B is noiseless, Alice and Bob will share the message bit $m_1$ (for $w = z$) or $m_2$ (for $w = x$). When line A-to-B is noisy, we can add further error testing and error correction for $m$, which we have omitted for simplicity of discussion (see footnote 9). Finally, we note that combining Protocol 1 and Protocol 2d essentially gives Protocol DQKD given in Sec. IV. Thus, we have proved the security of Protocol DQKD.

We remark that it makes sense that Alice's message bit depends on the basis used by Bob: when Bob initially sends, for example, a $z$-eigenstate to Alice via line B-to-A, only Alice's $X$ operation (controlled by $m_1$) will bit-flip the state, and so $m_1$ should become her message bit.
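Steps 1, 6, 7, and 8 of Protocol 2d run over $N$ qubits, as an added simulation that is not part of the paper: Bob's raw bits and bases, Alice's $X^{m_1} Z^{m_2}$ encoding, Bob's measurement in $w$, and the $m_1$/$m_2$ substitution after the basis announcement, with single-qubit state vectors in pure Python. The channel is assumed noiseless with no Eve, and all random choices are constructed from a fixed seed.

```python
import random

S = 2 ** -0.5
BASIS = {"z": ([1.0, 0.0], [0.0, 1.0]), "x": ([S, S], [S, -S])}  # (|0_w>, |1_w>)
X, Z = [[0, 1], [1, 0]], [[1, 0], [0, -1]]

def apply(gate, psi):
    """Apply a 2x2 gate to a single-qubit amplitude vector."""
    return [sum(gate[r][c] * psi[c] for c in range(2)) for r in range(2)]

def measure(psi, w):
    """Measure psi in basis w. In noiseless Protocol 2d the forwarded qubit is a
    w-eigenstate up to a global phase, so the outcome is deterministic."""
    probs = [abs(sum(b * p for b, p in zip(state, psi))) ** 2 for state in BASIS[w]]
    for outcome, p in enumerate(probs):
        if abs(p - 1.0) < 1e-12:
            return outcome
    raise ValueError("not a %s-basis eigenstate, outcome probabilities %r" % (w, probs))

def run_protocol_2d(n, seed=1):
    """Steps 1, 6, 7, 8 of Protocol 2d for N = n qubits (noiseless, no Eve).
    Returns (Alice's message m, Bob's decrypted m, Bob's raw measurement results)."""
    rnd = random.Random(seed)                      # constructed random choices
    bits = lambda: [rnd.randrange(2) for _ in range(n)]
    a, w = bits(), [rnd.choice("zx") for _ in range(n)]   # Step 1: Bob's raw key and bases
    m1, m2 = bits(), bits()                        # Step 6: Alice's two random messages
    forwarded = []
    for i in range(n):                             # Step 6: Z if m2 = 1, then X if m1 = 1
        psi = list(BASIS[w[i]][a[i]])              # the qubit Bob sent on line B-to-A
        if m2[i]: psi = apply(Z, psi)
        if m1[i]: psi = apply(X, psi)
        forwarded.append(psi)
    received = [measure(psi, w[i]) for i, psi in enumerate(forwarded)]  # Step 7
    # Step 8: Bob announces w; the message bit is m1 for w = z and m2 for w = x
    alice_m = [m1[i] if w[i] == "z" else m2[i] for i in range(n)]
    bob_m = [received[i] ^ a[i] for i in range(n)]     # OTP decryption with raw key a
    return alice_m, bob_m, received
```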

C. Key generation rates 

In Protocols 2, 2b, 2c, and 2d, we assume that the final key is derived from applying privacy amplification to Alice's raw key: $k = f(a)$. Bob is responsible for correcting his raw key to match Alice's. To ensure security, Alice's message $m$ is shortened to $N_{\mathrm{PA}} = N(1 - h(e_p))$ bits of secure message $f(m)$, where $e_p$ is obtained from Step 4 of Protocol 1. In the discussion so far, we have not considered errors on line A-to-B. Errors on line B-to-A cause Alice's raw key to differ from Bob's raw key such that $b = a \oplus e_1$, where $e_1$ is the error pattern with an error rate of $e_b$ (cf. Step 4 of Protocol 1). Errors on line A-to-B cause Bob to receive $m \oplus a \oplus e_2$ in Step 6 of Protocol 2b, where $e_2$ is the error pattern on this line and could be correlated with $e_1$. Thus, when Bob uses $b$ to decrypt his message received on line A-to-B, he faces the error pattern $e_1 \oplus e_2$, whose error rate we denote as $e_1^+$. To help Bob correct for this error pattern, Alice sends to Bob error correction information encrypted with $N h(e_1^+)$ bits of the pre-shared secret key. Therefore, the net key expansion length is

$$\Delta N_{\text{two-way}} = N\big[1 - h(e_1^+) - h(e_p)\big]. \qquad (10)$$

This represents the key generation rate for the integration of Protocol 1 and any of Protocols 2, 2b, 2c, and 2d. As



8 Note that the order of application of these two operations does not matter in light of Eq. (7), as swapping the order contributes a factor of $-1$ twice.



9 The key bit error testing of Step 6 of Protocol DQKD is omitted in Protocol 2d for simplicity of discussion, but this step can easily be added without affecting the result.
expected, this is the same formula as for the two-way DQKD protocol given in Eq. ( ). As a special case, when the error rates on the two lines are both $e_b$, the overall error rate $e_1^+$ is upper-bounded by $2e_b$, since the errors on the two lines can be correlated. Thus, the key generation rate in this case is $1 - h(2e_b) - h(e_p)$, which is the same as that derived for another two-way DQKD protocol in Ref. [11] (see Sec. III F therein).

Note that as Alice and Bob are correcting the overall error pattern $e_1 \oplus e_2$, they do not need to separately correct for the error $e_1$ in their raw keys; i.e., they do not perform Step 5 of Protocol 1. This is reflected in the original two-way DQKD protocol in Sec. IV.



VI. CONCLUSIONS 

The central idea of our paper is delayed privacy amplification, and we have proved its security. Delayed PA is useful for secret key sharing between nodes of a QKD network assisted by trusted relays, and for the security proof of a qubit-based two-way DQKD protocol. We anticipate that delayed PA will have further uses in other applications, such as the security proof of two-way continuous-variable QKD [39].

In this paper, we derived the qubit-based two-way DQKD protocol from an integration of the BB84 protocol and OTP, with the condition that PA is delayed until after the one-time pad. Because of our security proof of delayed PA, the original security of BB84 directly carries over to the DQKD protocol. Thus, we have proved the security of the DQKD protocol against general attacks with qubit signals. This illustrates the power of the delayed PA idea.

Security analysis of DQKD with multi-qubit signals and decoy states [49-51] is beyond the scope of the current paper and will be left for future work. Also, using non-additive privacy amplification functions in delayed privacy amplification will be considered in the future.
Appendix A: Derivation of Eq. (8) from Eq. (7)

We only derive Eq. (8) from Eq. (7); the derivation of Eq. (9) is similar. First, we decompose $|\Psi\rangle_{A\bar A} = \sum_{i=0,1} \lambda_i |i_z\rangle_A |e_i\rangle_{\bar A}$, where $|i_z\rangle_A$ are the normalized eigenstates of basis $z$ and $|e_i\rangle_{\bar A}$ are normalized but not necessarily orthogonal. We trace the state of Eq. (7) over $M_2$:

$$
\begin{aligned}
\rho_{M_1 A\bar A} &= \frac{1}{4} \sum_{m_1=0,1} |m_1\rangle_{M_1}\langle m_1| \otimes \Big[ P\big(X_A^{m_1} |\Psi\rangle_{A\bar A}\big) + P\big((X^{m_1} Z)_A |\Psi\rangle_{A\bar A}\big) \Big] \\
&= \frac{1}{4} |0\rangle_{M_1}\langle 0| \otimes \Big[ P\big(\lambda_0 |0_z\rangle_A |e_0\rangle_{\bar A} + \lambda_1 |1_z\rangle_A |e_1\rangle_{\bar A}\big) + P\big(\lambda_0 |0_z\rangle_A |e_0\rangle_{\bar A} - \lambda_1 |1_z\rangle_A |e_1\rangle_{\bar A}\big) \Big] \\
&\quad + \frac{1}{4} |1\rangle_{M_1}\langle 1| \otimes \Big[ P\big(\lambda_0 |1_z\rangle_A |e_0\rangle_{\bar A} + \lambda_1 |0_z\rangle_A |e_1\rangle_{\bar A}\big) + P\big(\lambda_0 |1_z\rangle_A |e_0\rangle_{\bar A} - \lambda_1 |0_z\rangle_A |e_1\rangle_{\bar A}\big) \Big] \\
&= \frac{|\lambda_0|^2}{2} \Big[ |0\rangle_{M_1}\langle 0| \otimes |0_z\rangle_A\langle 0_z| + |1\rangle_{M_1}\langle 1| \otimes |1_z\rangle_A\langle 1_z| \Big] \otimes |e_0\rangle_{\bar A}\langle e_0| \\
&\quad + \frac{|\lambda_1|^2}{2} \Big[ |0\rangle_{M_1}\langle 0| \otimes |1_z\rangle_A\langle 1_z| + |1\rangle_{M_1}\langle 1| \otimes |0_z\rangle_A\langle 0_z| \Big] \otimes |e_1\rangle_{\bar A}\langle e_1| .
\end{aligned}
$$

The last equation is equal to Eq. (8) by noting that, since $|\Psi\rangle_{A\bar A} = \sum_{i=0,1} \lambda_i |i_z\rangle_A |e_i\rangle_{\bar A}$, we have $|\Psi(k,z)\rangle_{\bar A} = (\langle k_z|_A \otimes I_{\bar A}) |\Psi\rangle_{A\bar A} = \lambda_k |e_k\rangle_{\bar A}$.

The derivation of Eq. (9) from Eq. (7) can be done in a similar manner by decomposing $|\Psi\rangle_{A\bar A}$ in the $x$ basis.
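A numerical check of the Appendix claim and of the Protocol 2c/2d equivalence argued in Sec. V B, added here and not part of the paper: for a constructed entangled state $|\Psi\rangle_{A\bar A}$ with $\dim \bar A = 2$ (standing in for Eve's and Bob's systems), the right-hand side of Eq. (7) traced over $M_2$ (or $M_1$) is built explicitly and compared entrywise with Eq. (8) (or Eq. (9)), i.e. with Eq. (6) of Protocol 2c for $w = z$ (or $w = x$), using pure-Python complex arithmetic.

```python
S = 2 ** -0.5
BASIS = {"z": ([1 + 0j, 0j], [0j, 1 + 0j]),          # |0_z>, |1_z>
         "x": ([S + 0j, S + 0j], [S + 0j, -S + 0j])}  # |0_x>, |1_x>
X, Z = [[0, 1], [1, 0]], [[1, 0], [0, -1]]
# Constructed sample |Psi>_{A Abar}, dim(Abar) = D = 2: sqrt(0.7)|0_z>|e0> + sqrt(0.3)|1_z>|e1>
# with |e0> = |0>, |e1> = (|0> + i|1>)/sqrt2, so A is genuinely entangled with Abar.
D = 2
PSI = [0.7 ** 0.5 + 0j, 0j, 0.15 ** 0.5 + 0j, 0.15 ** 0.5 * 1j]

def kron(u, v):  # tensor product |u>|v> of two amplitude lists
    return [x * y for x in u for y in v]

def proj_add(acc, psi, s):  # acc += s * P(|psi>), with P(|psi>) = |psi><psi|
    for r, x in enumerate(psi):
        for c, y in enumerate(psi):
            acc[r][c] += s * x * y.conjugate()

def gate_on_A(g, psi):  # apply 2x2 gate g to system A (first factor) of |psi>_{A Abar}
    return [sum(g[r][c] * psi[c * D + k] for c in range(2)) for r in range(2) for k in range(D)]

def project_A(bra, psi):  # |Psi(a,w)>_Abar = (<a_w|_A (x) I)|Psi>, unnormalized as in the text
    return [sum(bra[c].conjugate() * psi[c * D + k] for c in range(2)) for k in range(D)]

def rho_depolarize(psi, w):
    """Protocol 2d: Eq. (7) traced over M2 (w = z, keeps M1) or over M1 (w = x, keeps M2),
    i.e. 1/4 sum_{m1,m2} P(|m_kept> (X^m1 Z^m2)_A |Psi>)."""
    rho = [[0j] * (4 * D) for _ in range(4 * D)]
    for m1 in (0, 1):
        for m2 in (0, 1):
            phi = gate_on_A(Z, psi) if m2 else psi
            phi = gate_on_A(X, phi) if m1 else phi
            proj_add(rho, kron(BASIS["z"][m1 if w == "z" else m2], phi), 0.25)
    return rho

def rho_measure(psi, w):
    """Protocol 2c: Eq. (6) with Alice measuring in basis w, which is Eq. (8) for w = z
    and Eq. (9) for w = x: 1/2 sum_{a,m} P(|m> |(m xor a)_w> |Psi(a,w)>)."""
    rho = [[0j] * (4 * D) for _ in range(4 * D)]
    for a in (0, 1):
        psi_a = project_A(BASIS[w][a], psi)
        for m in (0, 1):
            proj_add(rho, kron(kron(BASIS["z"][m], BASIS[w][m ^ a]), psi_a), 0.5)
    return rho

def max_diff(w, psi=PSI):  # largest entrywise difference between the two 8x8 matrices
    r1, r2 = rho_depolarize(psi, w), rho_measure(psi, w)
    return max(abs(x - y) for row1, row2 in zip(r1, r2) for x, y in zip(row1, row2))
```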